Organizations face challenges in making their internal audit processes less labor intensive and more cost-effective. Learn how you can manage resources, schedules, tasks, and remediation activities for internal audit programs using SAP NetWeaver’s audit management functionality.
Key Concept
SAP NetWeaver’s audit management functionality allows full program life cycle management for internal audit activities, including IT, management systems, and financial operations. As part of the SAP NetWeaver platform, SAP NetWeaver’s audit management connects seamlessly with specific SAP BusinessSuite modules such as SAP ERP Project System and SAP ERP HCM to facilitate audit planning. New enhancements are available for internal audit risk management as part of the SAP BusinessObjects GRC 10.0 release with SAP NetWeaver’s audit management.
Audit activities can span a number of corporate functions, including IT, finance, management systems, and operations. They also provide greater transparency of the business operations of an organization. The Institute of Internal Auditors (IIA, www.theiia.org) suggests that an internal audit is “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.”
The process by which most organizations conduct audit activities can be summarized in Figure 1. Based on what triggers an audit schedule — perhaps business planning rounds, regularly scheduled risk mitigations, or even a compelling period of poor business performance — there is an element of planning in the form of scheduling and a level of pre-audit assessment. In a traditional audit process, this planning could include notification of the business operations or functional group that participates in the audit, the areas of the audit scope, and the schedule by which the audit is conducted.

Figure 1
Traditional major phases of internal audit activities (Source: Adapted from IIA, University of Illinois materials)
Once the audit activities commence, a number of execution activities occur, including the formal launch of the audit, field work and examination, the development of working or so-called brown papers that consist of document comments and observations, and finally the formal audit findings. These findings and supporting documents are then presented in an exit conference during which the rationale of audit findings may also be shared. In a traditional setting this is the last on-site (or in today’s technology environment real-time) activity that occurs before the final report is developed and distributed to the organization. The organization then considers any corrections that need to be made or improvements to deficiencies found in the audit that need to be implemented in the organization to improve business operations or meet a required level of compliance.
An internal audit adds value by providing key management- and board-level stakeholders with assurance that governance processes are effective, while identifying areas that can be improved. This assurance gives the stakeholders peace of mind, because they know they can rely on management’s governance and risk management processes, as well as the related systems of internal control.
In today’s economic environment, however, traditional labor-intensive audit models are difficult to justify. Opportunities to effectively and efficiently manage the traditional audit process and to augment with desk reviews conducted without a presence on-site make the audit process more palatable and cost-effective, particularly for small and midsized companies. In addition, the need to have audit processes use technology and be more tightly integrated with governance, risk, and compliance (GRC) processes suggests a next-generation, full lifecycle audit approach that addresses these new requirements of speed and efficiency that traditional models may lack.
Note
William’s SAP PRESS book, Understanding SAP BusinessObjects Enterprise Performance Management, available now, covers risk-adjusted strategy, sustainability, business planning, and other topics. For more information, visit www.sap-press.com.
Key Success Factors for Next-Generation Audit Management
Software has enabled internal audit functions to be more efficient and effective. Its improving functionality and value proposition are expected to bring even greater benefits in the future and address current economic constrictions and governance needs in the business environment, including:
- The planning, management, and execution of internal audit projects
- Enterprise risk management processes, in which internal audit risk assessment is integrated
- Data mining and analytics
- Automated testing, including the documentation of results and the monitoring of related action items
- Continuous monitoring and auditing of risks and controls
SAP solutions address these more significant technology needs of the internal audit function. SAP NetWeaver’s audit management can be used in an audit management environment with other SAP applications, such as:
- SAP BusinessObjects Risk Management
- SAP BusinessObjects Access Control
- SAP BusinessObjects Process Control
- SAP BusinessObjects Business Intelligence
In the next section I show you how to use SAP NetWeaver’s audit management functionality to structure your audit program, integrate that program with various SAP tools, and create greater transparency using enterprise risk management approaches.
Note
SAP NetWeaver’s audit management ships with the SAP NetWeaver platform as part of the SAP BusinessSuite 7.0 release.
Planning and Executing Successful Audits Using SAP NetWeaver’s Audit Management
To establish a plan for an audit, an audit team member or program manager may use an existing audit framework (e.g., a repeat visit to a facility or a similar audit event at another facility) by accessing SAP NetWeaver audit management and using the Change Audit screens to highlight the data objects of the audit. In the case of a new audit, an audit team member or program manager creates a new audit event using the Create Audit screen. Using an existing audit event through the Change Audit screen is shown in Figure 2. From this screen you may view or build the full hierarchy of audit data objects. In most cases the master data needed to effectively build an audit event includes:
- An audit plan: Actual event plan encapsulating specific activities and events
- Audit: Process, definition, and schedule of the audit
- An audit program: Functions or operations defined in the audit and the areas of the business the audit addresses, including question lists to be used
- Audit steps: Specific steps an audit program follows for a given function or operation defined in the audit
- Audit remediation: Specific recommendations and corrective actions that are delivered as a part of the audit findings

Figure 2
The description of an audit using the key master data components of SAP NetWeaver’s audit management Change Audit screen
You can also use the Audit Monitor screen (Figure 3) for gathering all the key master data information; it is similar in use and function to the EasyDMS document management feature with which most SAP users are familiar. Once the information is related to the master data and mapped to the Audit Monitor, you can track the performance of audit activities and tasks and by whom they have been accomplished (I address this topic later in the audit activities section).
Note
It is a best practice to create the Audit Monitor information as a part of planning activities, as the information is available during the audit program for tracking. So remember to enable the monitoring function before it is needed.

Figure 3
The Audit Monitor function allows for the planning and tracking of audit activities
Enterprise risks in SAP BusinessObjects Risk Management can be used to prepare specific audit plans. Those audit plans can be associated with any risk remediation activities about which the enterprise is aware. Note that the risk analysis plan precedes the audit plan, but the important point is that as part of planning an audit, you can have visibility into key areas of the business using SAP BusinessObjects Risk Management. This visibility can help drive a more effective and meaningful audit plan (Figure 4).

Figure 4
SAP BusinessObjects Risk Management can associate audit plans to enterprise risk
Once you plan the audit, associate it with enterprise risks, and load the audit master data, you can create a risk-based audit plan in the Microsoft Project schedule format that can be used in the field (Figure 5). There are two ways to generate a Microsoft Project schedule. The first approach is to export this directly from SAP BusinessObjects Risk Management once the risk activities are associated and scheduled. The other approach is to simply structure the activities in SAP ERP Project System and then export the Microsoft Project schedule from ERP PS. Depending on which users have access to specific modules as part of process controls, sometimes representing the activities in both SAP BusinessObjects Risk Management from an enterprise risk management view, as well as SAP ERP PS from an enterprise schedule view, is advisable.

Figure 5
SAP BusinessObjects Risk Management can export audit plans to Microsoft Project for field use
The SAP NetWeaver audit management function (Figure 6) allows the user to keep a record of previous audits, including templates, remediation forms, and question sets. You can reuse a template simply by double-clicking the resource. The resource appears in the Create Audit screen so that you can create a new audit plan based on a previous template.

Figure 6
You can reuse audit templates easily to create new audit plans
During the execution stage of an audit, work papers often suggest corrective or preventive actions in real time. SAP NetWeaver audit management allows you to identify these work papers and capture remediation actions on the fly so that these can be automatically summarized in the findings report. Figure 7 shows how you can quickly capture an idea — in this case the issue of process knowledge of the organization relative to the audit scope — and log it during the audit so that it can be reviewed and assembled later in the final report.

Figure 7
Remediation steps, such as corrective and preventive actions, can be added during execution
During the audit it is often important that only the auditors have access to in-process activities, because these activities and findings keep changing with additions and edits until the final exit conference. SAP BusinessObjects Access Control and SAP BusinessObjects Process Control can be used to give the audit team access to in-process documents and records without making this information available to other members of the organization until it is formally published.
Once the audit has been completed, the findings have been reviewed, and recommendations for remediation steps have been assembled, the final report can be quickly generated using an existing template, or through the use of a new document template. You can access this via the Change Audit screen, which allows you to select the specific audit program. You then click the Print Preview command to generate an audit report document that can be saved, emailed, or printed for use in the exit conference and subsequent business operations (Figure 8).

Figure 8
Audit reports can be quickly generated and printed, saved, or emailed to provide an audit record
Additional Planned Integration with SAP BusinessObjects GRC 10.0
With the new features released earlier this year with SAP BusinessObjects GRC 10.0, users can find deeper integration, in particular between SAP BusinessObjects Risk Management and SAP NetWeaver’s audit management functions. SAP BusinessObjects Risk Management allows for a deeper creation of audit plans, audit programs, and audit steps as a means to address enterprise risk. These data objects may be assigned readily to new or existing audits inside SAP NetWeaver’s audit management. In addition, planned enhancements include deeper relation of audit activities and data objects back into SAP BusinessObjects Risk Management for integrated risk analysis and exposure assessment as a part of enterprise risk management, control testing, and issue/performance improvement management activities.

William Newman
William Newman, MBA, CMC is managing principal of Newport Consulting Group, LLC, an SAP partner focused on EPM and GRC solutions. He has over 25 years of experience in the development and management of strategy, process, and technology solutions spanning Fortune 1000, public-sector, midsized and not-for-profit organizations. He is a Certified Management Consultant (CMC) since 1995, qualified trainer by the American Society of Quality (ASQ) since 2000, and a trained Social Fingerprint consultant in social accountability since 2012. William is a recognized ASUG BusinessObjects influencer and a member of SAP’s Influencer Relations program. He holds a BS degree in aerospace engineering from the Henry Samueli School of Engineering and Applied Science at UCLA and an MBA in management and international business from the Conrad L. Hilton School of Management at Loyola Marymount University. He is a member of the adjunct faculty at both Northwood University and the University of Oregon with a focus on management studies and sustainability, respectively.
If you have comments about this article or BI Expert, or would like to submit an article idea, please contact the editor.
You may contact the author at wnewman@newportconsgroup.com.